Mercadona fined 170,000 euros

The Valencian supermarket company Mercadona has been sanctioned by the AEPD with a fine of 170,000 euros (File Nº: PS/00267/2021) for deficient handling of a user's exercise of her rights. In short, for not complying with the Data Protection Regulations.

Context

A user suffered an accident on the supermarket premises, and in order to claim damages, she exercised her right of access to the images from the security cameras, through the form on Mercadona’s website.

No response was received, and the same request was sent to the Data Protection Delegate (DPD), who indicated that he had not received the request to exercise any right, in addition to the fact that the images requested were no longer in his possession, as they had been deleted from the system since more than a month had passed since the events.

The user filed a complaint with Mercadona on its website, to which she never received a response.

Subsequently, Mercadona reached an agreement with the user on compensation for damages for the non-exercise of her right of access, in which the supermarket accepted that a human error had caused the request not to be sent to the DPD.

Position of the AEPD

Regarding the exercise of rights

We can all exercise our data protection rights, and this implies an obligation for the data controller to provide a timely response, even if the data requested is not in its possession.

In order to provide a timely response, the responsible party must follow its own internal procedures and issue the response within 1 month from the receipt of the request.

In the specific case, Mercadona never stated that it was unaware of the user’s request, nor did it explain in detail why the request was not answered in due time and form. Instead, it alleged an involuntary human error that prevented the request from being managed and attended to. This is not admissible: if a request is received, it must be answered by legal obligation; otherwise, the responsible party would be acting in a non-diligent manner.

Preservation of images from video recordings

The regulation establishes a one-month term for the conservation of images from video recordings, so that, after that date, it would be lawful to delete them. It should be noted that the conservation period coincides with the time limit for those responsible for the resolution of requests for the exercise of rights.

In this specific case, in the request for the exercise of the right of access by the user, it was clearly stated that she was requesting the images from the cameras to claim the damage, a circumstance that was subsequently brought to Mercadona’s attention again by the user’s representative, so that Mercadona, as the data controller, should have kept the images knowing the user’s interest.

This case finds its legal basis in paragraph f) of Art. 6.1 of the GDPR, under which the processing is necessary for the satisfaction of legitimate interests pursued by the controller or by a third party, in conjunction with the right to effective judicial protection under Article 24 of the Constitution.

Effects of the infraction committed

Mercadona alleges that there is no legal basis to open a sanctioning procedure against it, since an out-of-court agreement was reached with the user in which she was compensated for the damages caused, as well as for the fact of not having complied with her request for access in due time and form.

The AEPD points out that, even if there is evidence of such an agreement between the parties, this cannot be considered as having restored the rights of the interested parties, since in the specific case, the user’s right of access could not be restored because the images of the video recordings had already been deleted, and therefore, it was not possible to access them, as reliable evidence in her claim.

Important points of the resolution

  1. Faced with the right of users to exercise their data protection rights, there is always a responsibility on the part of data controllers to comply with them, and this obligation cannot be ignored.
  2. When the information requested in an access request is intended to support a claim, whether judicial or extrajudicial, its conservation period must be taken into account, since in a weighing of rights, the right to effective judicial protection is above the right to data protection when there is a decrease in the possibility of arguing the defense.
  3. A private agreement between the parties cannot be considered reparation of the rights and freedoms of the individual when the damage is irrecoverable with respect to the exercise of personal data protection rights.
  4. The reparation of people’s rights does not exonerate those responsible for the infractions that derive from their actions, as well as the sanctions that may be determined in this respect.